Idfy delivers trust services, which require diligent focus on information security in our organization. Idfy has therefore implemented an information security program led by Idfy’s management, and an information security management system (ISMS) following the ISO/IEC 27001:2013 standard.
Idfy’s information security program entails a series of security controls including, but not limited to, HR policies, user access controls, physical and logical access controls, software development controls, and cryptographic controls, in order to ensure the integrity, availability and confidentiality of the data we process.
KPMG audits and certifies Idfy’s information security system every two years. Watchcom AS performs annual penetration testing of our services.
Feel free to contact us if you have any questions about our information security.
Idfy uses Microsoft Azure cloud hosting for our standard SaaS solutions. With Microsoft Azure, Idfy can take advantage of a large network of data centers to maintain high availability and security in a cost-efficient manner. Microsoft Azure provides infrastructure and services that natively support high availability, disaster recovery and backup of applications and data. Idfy uses North Europe and West Europe as our data center regions in Microsoft Azure.
For specialized and custom solutions for customers, Idfy also uses the hosting provider Basefarm AS in Oslo, Norway, with a dual-site redundant data center setup (full HA configuration) with independent network and power connections. This gives a highly secure and reliable hosting setup, and guaranteed storage of data on Norwegian soil. Our data centers at Basefarm are certified according to the ISO 27001, ISO 14001 and PCI DSS standards.
All Idfy employees are required to provide valid police certificates prior to employment at Idfy. Only authorized personnel can access customer data for operations and support purposes.
Several physical and logical access controls are implemented for both offices and operational facilities (data centers). Controls include, among others, video surveillance, alarms and physical barriers.
Idfy’s APIs are protected by a centralized API gateway with a firewall, management and logging of API requests, and Idfy’s centralized authentication and authorization service. All Idfy APIs use OAuth2 as the protocol for authenticating every API call, and all communication with Idfy services requires encryption using TLS. Idfy’s services also support IP filtering.
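The following is an added illustration, not Idfy’s gateway code, of how the three controls named above (mandatory TLS, optional IP filtering, and OAuth2 bearer-token authentication) layer in a request check. The token store, client ids, scopes and IP ranges are constructed for the example; a real gateway would call the authorization service’s token introspection endpoint instead of a dictionary.

```python
"""Added example (not Idfy's code): gateway-style authorization check layering
TLS enforcement, an optional IP allowlist, and OAuth2 bearer-token validation.
All tokens, client ids, scopes and IP ranges below are constructed."""
import hmac
import ipaddress
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-in for the authorization service's token introspection:
# opaque token -> (client id, expiry as epoch seconds, granted scopes).
TOKEN_STORE: Dict[str, Tuple[str, int, set]] = {
    "tok-alice-valid": ("client-alice", 4_102_444_800, {"sign:read", "sign:write"}),
    "tok-bob-expired": ("client-bob", 946_684_800, {"sign:read"}),
    "tok-carol-readonly": ("client-carol", 4_102_444_800, {"sign:read"}),
}


@dataclass
class Request:
    scheme: str            # "https" or "http" as seen by the gateway
    client_ip: str         # source address of the caller
    headers: Dict[str, str]
    required_scope: str    # scope the called endpoint demands


@dataclass
class Decision:
    allowed: bool
    reason: str
    client_id: Optional[str] = None


def _lookup_token(presented: str):
    """Find the presented token in the store using constant-time comparison,
    so the check does not leak which stored token shares a prefix."""
    for stored, record in TOKEN_STORE.items():
        if hmac.compare_digest(presented.encode(), stored.encode()):
            return record
    return None


def authorize(req: Request, ip_allowlist: Optional[Iterable[str]] = None,
              now: Optional[float] = None) -> Decision:
    """Return an allow/deny decision with a machine-readable reason, in the
    order a gateway would evaluate the controls: transport, network, identity."""
    now = time.time() if now is None else now

    # 1. TLS is mandatory for every call; reject plaintext before anything else.
    if req.scheme.lower() != "https":
        return Decision(False, "tls_required")

    # 2. Optional per-customer IP filtering (CIDR allowlist).
    if ip_allowlist:
        addr = ipaddress.ip_address(req.client_ip)
        if not any(addr in ipaddress.ip_network(n) for n in ip_allowlist):
            return Decision(False, "ip_not_allowed")

    # 3. OAuth2 bearer token: present, known, unexpired, and carrying the scope.
    auth = req.headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return Decision(False, "missing_bearer_token")
    record = _lookup_token(token)
    if record is None:
        return Decision(False, "invalid_token")
    client_id, expires_at, scopes = record
    if now >= expires_at:
        return Decision(False, "token_expired", client_id)
    if req.required_scope not in scopes:
        return Decision(False, "insufficient_scope", client_id)
    return Decision(True, "ok", client_id)


if __name__ == "__main__":
    sample = Request("https", "192.0.2.7",
                     {"Authorization": "Bearer tok-alice-valid"}, "sign:write")
    print(authorize(sample, ip_allowlist=["192.0.2.0/24"]))
```

The deny reasons are deliberately distinct so that gateway logs can tell a plaintext call, an out-of-range source address and a bad or expired token apart, which is what makes the request logging mentioned above useful for detection.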
Idfy uses industry-leading hardware security modules (HSMs) to protect transactions, identities and applications. HSMs excel at securing cryptographic keys and provisioning encryption, decryption, authentication and digital signing services for a wide range of applications. Idfy has dedicated network HSMs in a redundant setup, and operates these hardware security modules to protect sensitive secrets and keys for our customers.
In Idfy’s software, industry standard encryption is used, following requirements for algorithms and key lengths. Idfy’s standards require:
Idfy’s country of incorporation and operations, Norway, has historically had some of the world’s most rigorous privacy and data protection laws, further strengthened under the common European General Data Protection Regulation (GDPR) in 2018. Idfy follows best practice guidelines developed by the Norwegian Data Protection Authority (DPA). These measures include, but are not limited to, deleting data when it is no longer in use, anonymization of personal data, consent screen flows and data labeling. In addition, Idfy follows guidelines for software development with data protection by design and by default, so that protection of data is enabled in all phases of the information life cycle.
For delivery of its services for digital identification, digital signatures and other services, Idfy acts as the data processor on behalf of its customers and has data processing agreements with its customers. Customer data is not used for any purpose other than operation and delivery of the services. Idfy only stores data for as long as necessary to operate the agreed services and to be able to provide technical support to its customers in the delivery of the services.